Fibratus : Tool for Exploration & Tracing of the Windows Kernel

Fibratus is a tool which is able to capture the most of the Windows kernel activity – process/thread creation and termination, context switches, file system I/O, registry, network activity, DLL loading/unloading and much more.

The kernel events can be easily streamed to a number of output sinks like AMQP message brokers, Elasticsearch clusters or standard output stream.

You can use filaments (lightweight Python modules) to extend it with your own arsenal of tools and so leverage the power of the Python’s ecosystem.

Also Read : Crashcast-Exploit : Tool To Mass Play YouTube Video, Terminate Apps & Rename Chromecast Device

Installation

Download the latest release (Windows installer). The changelog and older releases can be found here.

Alternatively, you can get it from PyPI.

• Install the dependencies
  • Download and install Python 3.4.
  • Install Visual Studio 2015 (you’ll only need the Visual C compiler to build the kstreamc extension). Make sure to export the VS100COMNTOOLS environment variable so it points to %VS140COMNTOOLS%.
  • Get Cython: pip install Cython >=0.23.4.
• Install fibratus via the pip package manager:

pip install fibratus